Unhackable: Windows Challenge Network not Penetrated

(Seattle, Wash.) After 31 hours and 40,000 attacks, the Windows
2000 network set up and hardened during the MCP TechMentor Summit on Security
remained uncompromised. The purpose of the Challenge was to see how secure
a Windows network could be made using standard security checklists and
best practices, without any special software or steps being taken. Judging
by the results, it can be done -- and done well.

Mark Burnett, who monitored the network with the intrusion detection
tool Snort, said that on the second day of the Challenge the attacks got
more creative. "Everyone eliminated the more basic stuff and did more
interesting stuff," Burnett said. "The big lesson is not what we saw but
what we didn't see. The fact for most companies is that most attacks are
basic. If you follow basic principles," then your network should be able
to turn back the majority of attacks, according to Burnett.

In reality, there was one successful attack, but not through the network.
Burnett decided to try gaining physical access to the network, in violation
of the stated rules. He said he did it to prove a point. "The fact is
you can't set rules for hackers. So I thought I'd try a physical attack
although we were told not to. The fact is that if you can get physical
access to a server, you can get in. I cheated, I broke the trust," Burnett
said.

Burnett filled the security guard full of soda, waited until he had to
go to the bathroom, and changed the username and password for the administrator
account on a server.

Steve Riley, a Microsoft security expert who configured security for
the Exchange server on the Windows Challenge network, said the attack
should serve as a warning to companies. "The people with the broadest
and most thorough access to your company are the lowest-level employees,
the security guards and janitors. It's something you're going to have
to think about."

Conference chairperson and Microsoft Certified Professional Magazine
Contributing Editor Roberta Bragg echoed those sentiments. "Anyone you
trust, you should monitor them, audit them. We have to have that in place."

The Windows Challenge had a Web site open to the Internet, and attacks
came from all over the world, from as far away as Asia. In the end, though,
no electronic attacks were able to penetrate the network. Several speakers
commented that the result points to the human factor as the most important
one in proper network security. If the administrator is thorough and diligent,
most attacks can be stopped. "It's your admin that gets attacked, not
the system, not the application," Burnett said.

SQL expert Ted Malone, who hardened the SQL server for the Challenge,
agreed. "You're only as strong as your weakest link," he said.

The MCP TechMentor Summit on Security was a three-day conference focused
on Windows security topics.